Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    4 vulnerabilities by probot

    CVE-2023-50728 (GCVE-0-2023-50728)

    Vulnerability from nvd – Published: 2023-12-15 21:59 – Updated: 2024-08-02 22:16
    VLAI
    Title
    Unauthenticated Denial of Service in the octokit/webhooks library
    Summary
    octokit/webhooks is a GitHub webhook events toolset for Node.js. Starting in 9.26.0 and prior to 9.26.3, 10.9.2, 11.1.2, and 12.0.4, there is a problem caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases. The resulting request was found to cause an uncaught exception that ends the nodejs process. The bug is fixed in octokit/webhooks.js 9.26.3, 10.9.2, 11.1.2, and 12.0.4, app.js 14.02, octokit.js 3.1.2, and Protobot 12.3.3.
    CWE
    • CWE-755 - Improper Handling of Exceptional Conditions
    Assigner
    Impacted products
    Vendor Product Version
    octokit webhooks.js Affected: >= 9.26.0, < 9.26.3
    Affected: >= 10.9.0, < 10.9.2
    Affected: >= 11.1.0, < 11.1.2
    Affected: >= 12.0.0, < 12.0.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:16:47.284Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qv",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qv"
              },
              {
                "name": "https://github.com/octokit/app.js/releases/tag/v14.0.2",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/octokit/app.js/releases/tag/v14.0.2"
              },
              {
                "name": "https://github.com/octokit/octokit.js/releases/tag/v3.1.2",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/octokit/octokit.js/releases/tag/v3.1.2"
              },
              {
                "name": "https://github.com/octokit/webhooks.js/releases/tag/v10.9.2",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/octokit/webhooks.js/releases/tag/v10.9.2"
              },
              {
                "name": "https://github.com/octokit/webhooks.js/releases/tag/v11.1.2",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/octokit/webhooks.js/releases/tag/v11.1.2"
              },
              {
                "name": "https://github.com/octokit/webhooks.js/releases/tag/v12.0.4",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/octokit/webhooks.js/releases/tag/v12.0.4"
              },
              {
                "name": "https://github.com/octokit/webhooks.js/releases/tag/v9.26.3",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/octokit/webhooks.js/releases/tag/v9.26.3"
              },
              {
                "name": "https://github.com/probot/probot/releases/tag/v12.3.3",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/probot/probot/releases/tag/v12.3.3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "webhooks.js",
              "vendor": "octokit",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 9.26.0, \u003c 9.26.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 10.9.0, \u003c 10.9.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.1.0, \u003c 11.1.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 12.0.0, \u003c 12.0.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "octokit/webhooks is a GitHub webhook events toolset for Node.js. Starting in 9.26.0 and prior to 9.26.3, 10.9.2, 11.1.2, and 12.0.4, there is a problem caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases. The resulting request was found to cause an uncaught exception that ends the nodejs process.  The bug is fixed in octokit/webhooks.js 9.26.3, 10.9.2, 11.1.2, and 12.0.4, app.js 14.02, octokit.js 3.1.2, and Protobot 12.3.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-755",
                  "description": "CWE-755: Improper Handling of Exceptional Conditions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-12-15T21:59:00.312Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qv"
            },
            {
              "name": "https://github.com/octokit/app.js/releases/tag/v14.0.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/octokit/app.js/releases/tag/v14.0.2"
            },
            {
              "name": "https://github.com/octokit/octokit.js/releases/tag/v3.1.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/octokit/octokit.js/releases/tag/v3.1.2"
            },
            {
              "name": "https://github.com/octokit/webhooks.js/releases/tag/v10.9.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/octokit/webhooks.js/releases/tag/v10.9.2"
            },
            {
              "name": "https://github.com/octokit/webhooks.js/releases/tag/v11.1.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/octokit/webhooks.js/releases/tag/v11.1.2"
            },
            {
              "name": "https://github.com/octokit/webhooks.js/releases/tag/v12.0.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/octokit/webhooks.js/releases/tag/v12.0.4"
            },
            {
              "name": "https://github.com/octokit/webhooks.js/releases/tag/v9.26.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/octokit/webhooks.js/releases/tag/v9.26.3"
            },
            {
              "name": "https://github.com/probot/probot/releases/tag/v12.3.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/probot/probot/releases/tag/v12.3.3"
            }
          ],
          "source": {
            "advisory": "GHSA-pwfr-8pq7-x9qv",
            "discovery": "UNKNOWN"
          },
          "title": "Unauthenticated Denial of Service in the octokit/webhooks library"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-50728",
        "datePublished": "2023-12-15T21:59:00.312Z",
        "dateReserved": "2023-12-11T17:53:36.032Z",
        "dateUpdated": "2024-08-02T22:16:47.284Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26918 (GCVE-0-2021-26918)

    Vulnerability from nvd – Published: 2021-02-09 02:07 – Updated: 2024-08-03 20:33 Disputed
    VLAI
    Summary
    The ProBot bot through 2021-02-08 for Discord might allow attackers to interfere with the intended purpose of the "Send an image when a user joins the server" feature (or possibly have unspecified other impact) because the uploader web service allows double extensions (such as .html.jpg) with the text/html content type. NOTE: there may not be cases in which an uploader web service is customer controlled; however, the nature of the issue has substantial interaction with customer controlled configuration. NOTE: the vendor states "This is just an uploader (like any other one) which uploads files to cloud storage and accepts various file types. There is no kind of vulnerability and it won't compromise either the client side or the server side.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    Impacted products
    Vendor Product Version
    probot bot Affected: 2021-02-08
        cpe:2.3:a:probot:bot:2021-02-08:*:*:*:*:discord:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:probot:bot:2021-02-08:*:*:*:*:discord:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "bot",
                "vendor": "probot",
                "versions": [
                  {
                    "status": "affected",
                    "version": "2021-02-08"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-26918",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-01T15:08:56.785244Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-434",
                    "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:13:20.451Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:33:41.484Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://raw.githubusercontent.com/TheLastVvV/Vulnerability-Reports-and-CVE/main/Reports/Discord%20Probot%20-%20Unrestricted%20File%20Upload.txt"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/161347/Discord-Probot-Arbitrary-File-Upload.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The ProBot bot through 2021-02-08 for Discord might allow attackers to interfere with the intended purpose of the \"Send an image when a user joins the server\" feature (or possibly have unspecified other impact) because the uploader web service allows double extensions (such as .html.jpg) with the text/html content type. NOTE: there may not be cases in which an uploader web service is customer controlled; however, the nature of the issue has substantial interaction with customer controlled configuration. NOTE: the vendor states \"This is just an uploader (like any other one) which uploads files to cloud storage and accepts various file types. There is no kind of vulnerability and it won\u0027t compromise either the client side or the server side."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-16T20:42:48.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://raw.githubusercontent.com/TheLastVvV/Vulnerability-Reports-and-CVE/main/Reports/Discord%20Probot%20-%20Unrestricted%20File%20Upload.txt"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/161347/Discord-Probot-Arbitrary-File-Upload.html"
            }
          ],
          "tags": [
            "disputed"
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2021-26918",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "** DISPUTED ** The ProBot bot through 2021-02-08 for Discord might allow attackers to interfere with the intended purpose of the \"Send an image when a user joins the server\" feature (or possibly have unspecified other impact) because the uploader web service allows double extensions (such as .html.jpg) with the text/html content type. NOTE: there may not be cases in which an uploader web service is customer controlled; however, the nature of the issue has substantial interaction with customer controlled configuration. NOTE: the vendor states \"This is just an uploader (like any other one) which uploads files to cloud storage and accepts various file types. There is no kind of vulnerability and it won\u0027t compromise either the client side or the server side.\""
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://raw.githubusercontent.com/TheLastVvV/Vulnerability-Reports-and-CVE/main/Reports/Discord%20Probot%20-%20Unrestricted%20File%20Upload.txt",
                  "refsource": "MISC",
                  "url": "https://raw.githubusercontent.com/TheLastVvV/Vulnerability-Reports-and-CVE/main/Reports/Discord%20Probot%20-%20Unrestricted%20File%20Upload.txt"
                },
                {
                  "name": "http://packetstormsecurity.com/files/161347/Discord-Probot-Arbitrary-File-Upload.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/161347/Discord-Probot-Arbitrary-File-Upload.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-26918",
        "datePublished": "2021-02-09T02:07:20.000Z",
        "dateReserved": "2021-02-09T00:00:00.000Z",
        "dateUpdated": "2024-08-03T20:33:41.484Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-50728 (GCVE-0-2023-50728)

    Vulnerability from cvelistv5 – Published: 2023-12-15 21:59 – Updated: 2024-08-02 22:16
    VLAI
    Title
    Unauthenticated Denial of Service in the octokit/webhooks library
    Summary
    octokit/webhooks is a GitHub webhook events toolset for Node.js. Starting in 9.26.0 and prior to 9.26.3, 10.9.2, 11.1.2, and 12.0.4, there is a problem caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases. The resulting request was found to cause an uncaught exception that ends the nodejs process. The bug is fixed in octokit/webhooks.js 9.26.3, 10.9.2, 11.1.2, and 12.0.4, app.js 14.02, octokit.js 3.1.2, and Protobot 12.3.3.
    CWE
    • CWE-755 - Improper Handling of Exceptional Conditions
    Assigner
    Impacted products
    Vendor Product Version
    octokit webhooks.js Affected: >= 9.26.0, < 9.26.3
    Affected: >= 10.9.0, < 10.9.2
    Affected: >= 11.1.0, < 11.1.2
    Affected: >= 12.0.0, < 12.0.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:16:47.284Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qv",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qv"
              },
              {
                "name": "https://github.com/octokit/app.js/releases/tag/v14.0.2",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/octokit/app.js/releases/tag/v14.0.2"
              },
              {
                "name": "https://github.com/octokit/octokit.js/releases/tag/v3.1.2",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/octokit/octokit.js/releases/tag/v3.1.2"
              },
              {
                "name": "https://github.com/octokit/webhooks.js/releases/tag/v10.9.2",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/octokit/webhooks.js/releases/tag/v10.9.2"
              },
              {
                "name": "https://github.com/octokit/webhooks.js/releases/tag/v11.1.2",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/octokit/webhooks.js/releases/tag/v11.1.2"
              },
              {
                "name": "https://github.com/octokit/webhooks.js/releases/tag/v12.0.4",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/octokit/webhooks.js/releases/tag/v12.0.4"
              },
              {
                "name": "https://github.com/octokit/webhooks.js/releases/tag/v9.26.3",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/octokit/webhooks.js/releases/tag/v9.26.3"
              },
              {
                "name": "https://github.com/probot/probot/releases/tag/v12.3.3",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/probot/probot/releases/tag/v12.3.3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "webhooks.js",
              "vendor": "octokit",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 9.26.0, \u003c 9.26.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 10.9.0, \u003c 10.9.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.1.0, \u003c 11.1.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 12.0.0, \u003c 12.0.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "octokit/webhooks is a GitHub webhook events toolset for Node.js. Starting in 9.26.0 and prior to 9.26.3, 10.9.2, 11.1.2, and 12.0.4, there is a problem caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases. The resulting request was found to cause an uncaught exception that ends the nodejs process.  The bug is fixed in octokit/webhooks.js 9.26.3, 10.9.2, 11.1.2, and 12.0.4, app.js 14.02, octokit.js 3.1.2, and Protobot 12.3.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-755",
                  "description": "CWE-755: Improper Handling of Exceptional Conditions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-12-15T21:59:00.312Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qv"
            },
            {
              "name": "https://github.com/octokit/app.js/releases/tag/v14.0.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/octokit/app.js/releases/tag/v14.0.2"
            },
            {
              "name": "https://github.com/octokit/octokit.js/releases/tag/v3.1.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/octokit/octokit.js/releases/tag/v3.1.2"
            },
            {
              "name": "https://github.com/octokit/webhooks.js/releases/tag/v10.9.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/octokit/webhooks.js/releases/tag/v10.9.2"
            },
            {
              "name": "https://github.com/octokit/webhooks.js/releases/tag/v11.1.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/octokit/webhooks.js/releases/tag/v11.1.2"
            },
            {
              "name": "https://github.com/octokit/webhooks.js/releases/tag/v12.0.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/octokit/webhooks.js/releases/tag/v12.0.4"
            },
            {
              "name": "https://github.com/octokit/webhooks.js/releases/tag/v9.26.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/octokit/webhooks.js/releases/tag/v9.26.3"
            },
            {
              "name": "https://github.com/probot/probot/releases/tag/v12.3.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/probot/probot/releases/tag/v12.3.3"
            }
          ],
          "source": {
            "advisory": "GHSA-pwfr-8pq7-x9qv",
            "discovery": "UNKNOWN"
          },
          "title": "Unauthenticated Denial of Service in the octokit/webhooks library"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-50728",
        "datePublished": "2023-12-15T21:59:00.312Z",
        "dateReserved": "2023-12-11T17:53:36.032Z",
        "dateUpdated": "2024-08-02T22:16:47.284Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26918 (GCVE-0-2021-26918)

    Vulnerability from cvelistv5 – Published: 2021-02-09 02:07 – Updated: 2024-08-03 20:33 Disputed
    VLAI
    Summary
    The ProBot bot through 2021-02-08 for Discord might allow attackers to interfere with the intended purpose of the "Send an image when a user joins the server" feature (or possibly have unspecified other impact) because the uploader web service allows double extensions (such as .html.jpg) with the text/html content type. NOTE: there may not be cases in which an uploader web service is customer controlled; however, the nature of the issue has substantial interaction with customer controlled configuration. NOTE: the vendor states "This is just an uploader (like any other one) which uploads files to cloud storage and accepts various file types. There is no kind of vulnerability and it won't compromise either the client side or the server side.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    Impacted products
    Vendor Product Version
    probot bot Affected: 2021-02-08
        cpe:2.3:a:probot:bot:2021-02-08:*:*:*:*:discord:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:probot:bot:2021-02-08:*:*:*:*:discord:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "bot",
                "vendor": "probot",
                "versions": [
                  {
                    "status": "affected",
                    "version": "2021-02-08"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-26918",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-01T15:08:56.785244Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-434",
                    "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:13:20.451Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:33:41.484Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://raw.githubusercontent.com/TheLastVvV/Vulnerability-Reports-and-CVE/main/Reports/Discord%20Probot%20-%20Unrestricted%20File%20Upload.txt"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/161347/Discord-Probot-Arbitrary-File-Upload.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The ProBot bot through 2021-02-08 for Discord might allow attackers to interfere with the intended purpose of the \"Send an image when a user joins the server\" feature (or possibly have unspecified other impact) because the uploader web service allows double extensions (such as .html.jpg) with the text/html content type. NOTE: there may not be cases in which an uploader web service is customer controlled; however, the nature of the issue has substantial interaction with customer controlled configuration. NOTE: the vendor states \"This is just an uploader (like any other one) which uploads files to cloud storage and accepts various file types. There is no kind of vulnerability and it won\u0027t compromise either the client side or the server side."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-16T20:42:48.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://raw.githubusercontent.com/TheLastVvV/Vulnerability-Reports-and-CVE/main/Reports/Discord%20Probot%20-%20Unrestricted%20File%20Upload.txt"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/161347/Discord-Probot-Arbitrary-File-Upload.html"
            }
          ],
          "tags": [
            "disputed"
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2021-26918",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "** DISPUTED ** The ProBot bot through 2021-02-08 for Discord might allow attackers to interfere with the intended purpose of the \"Send an image when a user joins the server\" feature (or possibly have unspecified other impact) because the uploader web service allows double extensions (such as .html.jpg) with the text/html content type. NOTE: there may not be cases in which an uploader web service is customer controlled; however, the nature of the issue has substantial interaction with customer controlled configuration. NOTE: the vendor states \"This is just an uploader (like any other one) which uploads files to cloud storage and accepts various file types. There is no kind of vulnerability and it won\u0027t compromise either the client side or the server side.\""
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://raw.githubusercontent.com/TheLastVvV/Vulnerability-Reports-and-CVE/main/Reports/Discord%20Probot%20-%20Unrestricted%20File%20Upload.txt",
                  "refsource": "MISC",
                  "url": "https://raw.githubusercontent.com/TheLastVvV/Vulnerability-Reports-and-CVE/main/Reports/Discord%20Probot%20-%20Unrestricted%20File%20Upload.txt"
                },
                {
                  "name": "http://packetstormsecurity.com/files/161347/Discord-Probot-Arbitrary-File-Upload.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/161347/Discord-Probot-Arbitrary-File-Upload.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-26918",
        "datePublished": "2021-02-09T02:07:20.000Z",
        "dateReserved": "2021-02-09T00:00:00.000Z",
        "dateUpdated": "2024-08-03T20:33:41.484Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }